Posted by Soulskill on Friday September 18, 2009 @06:58PM from the no-news-is-good-news dept.

darthcamaro writes "While the internet may know no borders, the US government does. There are a number of rules that affect software vendors, including encryption export regulations from the US Department of Commerce and export sanctions by the Department of Treasury. But what do you do when your application is open source and freely available to anyone in the world? Do the same rules apply? It's a question that Mozilla asked the US government about. The answer they received could have profound implications not just for Firefox but for all open source software vendors. 'We really couldn't accept the notion that these government rules could jeopardize the participatory nature of an open source project, so we sought to challenge it,' Harvey Anderson, VP and General Counsel of Mozilla, told InternetNews.com. 'We argued that First Amendment free speech rights would prevail in this scenario. The government took our filing and then we got back a no-violation letter, which is fantastic.'"

Oh wow... Either /. searches and penalises for the letters f-i-r-s-t appearing in a primary post, or I just got bitchslapped at the speed of light.

I apologise.

Also, I should also mention the fact that legislation against encryption is ridiculously counter-productive; if the feds are after someone for any good reason, and that person is a criminal, they aren't going to respect such a restriction if they're already violating more serious laws. If all they succeed in doing is reducing legitimate commercial trade in such products, they're hurting themselves but at the same time improving the market tremendously for illicit dealers (note this observation applies to drugs as well, hmm).

That is why most companies do any crypto work offshore. It avoids this stupid law altogether as it can be freely imported. The result is the best crypto in the world is imported to the US. In fact, I don't trust crypto with origins in the US. You know, NSAKey and all.

If all they succeed in doing is reducing legitimate commercial trade in such products, they're hurting themselves but at the same time improving the market tremendously for illicit dealers (note this observation applies to drugs as well, hmm).

Yeah, that's why the export restrictions were lifted in the late 90s. Because all it was doing was hurting our domestic encryption companies. Back then, when Mozilla was still Netscape, you had to assert that you were in the U.S. or download a version with weaker encryption. Free software that used strong encryption had to be hosted on sites outside the U.S.

That was over 10 years ago. Now we still have restrictions about exporting to certain not-our-friend countries, but ultimately that's because (despite more cynical interpretations) we know that they can get this technology without our assistance, but that doesn't mean we're going to hand it to them.

But while that makes sense for some technologies, it doesn't make much sense for a free software browser implementing SSL because for one there are plenty of other SSL implementations out there and for two us not handing it to them only leaves, oh, about a billion others more than happy to allow downloads from Iran.

So look at that -- perhaps technically against the rules, but practically meaningless, and in the spirit of the law they decided there was no problem. Someone in the Commerce Department was wearing their thinking cap! Good for them, and good for Mozilla.

Not true. Applied Cryptography contains only the weaker version of RSA in sample code (listings in a book, not compiled code) to get around export restrictions. To demonstrate how stupid these laws are, the key length is a constant at the start of the program. If you changed it from 128 to 1024, the book became illegal for export, but you could distribute the book with 128 as the constant and let people outside the USA change it to 1024 when they typed it in without any problems.

If similar decisions by the BATFE are any indication, the State department (or whoever decided this) is going to turn around in a year or two and decide that it is export-restricted... and then make Mozilla run around and delete it from every computer outside the US or something.

I know I'm taking that cartoon way too seriously, but what the hell. The 2nd amendment doesn't guarantee people the right to export arms from the US. :-) US citizens already have the ability to 'keep and bear crypto', WITHIN the US.

The comic is also wrong. Strong crypto is still illegal to export from the US to any country under arms embargo. It is not illegal to export to other countries (it was until the mid '90s). It used to require an arms export license, and now it doesn't, but it is still regulated and still counts as a munition when exporting to embargo'd countries.

if firefox is shielded from these export restrictions because of first amendment protection wouldn't any open source implementation of strong encryption also be protected? wouldn't this make those export restrictions very nearly mute?

I don't think this argument was made. The argument made was about freedom of speech. This is very interesting and profound. Speech is protected but different kinds of speech are protected differently. The stereotypical "shouting fire" to cause a panic isn't at all. At the other end, most systems, especially the USA legal system, protect political speech very much. Practical proprietary programming where you don't communicate except inside your corporation and to your compiler is probably difficult to

Well, I was speaking more of the restriction on crypto export as a whole - and why this would be an exception. I was just discounting the whole Free Speech argument for the sake of a less Utopian reasoning. It is the Government, after all :)

1. That's a pretty strong statement to make without any backing.
2. You assume by "us" I meant the USA. I did, but my statement was neutral. I could have just as easily been speaking from Australia's perspective.

While PP's correction of GP's improper choice of homonym is laudable, the incorrect definition PP provides, and the tacit approval of GP's errant usage that stems from that, are unfortunate. Give PP 1 point, but take away 2 points.

When you're correcting someone's correction, you really should double-check your assertions to make sure you're not talking crass nonsense, especially if you do it in that tone.

Your point:

However while "moot" can take several different meanings, "Of no practical importance; irrelevant" is not one of them.

Yet the Webster's New Universal Unabridged Dictionary, 2nd ed, 1983, (Simon and Schuster) has: moot, a. subject to or open for discussion or debate; debatable.
Nothing more, nothing less, despite 6 column-inches of small type devoted to the various noun and verb forms of the word, none of which come close to suggesting "deprived of practical significance...."

Throughout the 20th century, some non-Merriam editions, such as Webster's New Universal, were closer to Webster's work than modern Merriam-Webster editions. Indeed, further revisions by Merriam-Webster came to have little in common with their original source

Seriously, it also (if the original poster is able to take criticism) helped them avoid this mistake in the future, potentially in front of a prospective client/etc.

There's a big difference between a typo or otherwise one-off failure and mistaking one word for another. It's nitpicking over typos because it's unlikely someone thinks 'teh' is correct, but when they use a word like mute in place of moot - not easily mistyped but easily mistaken - it's usually an indicator that they don't know better.

No, "irregardless" is a nasty habit. Mistaking there or their for they're or any combination thereof is a nasty habit, since it's usually laziness that drives people to use the spelling without the apostrophe.

Using mute for moot is like using affect instead of effect: a sign of ignorance. And as we all understand inherently, the best thing with which to counter ignorance is knowledge.

Don't people remember what happened with Phil Zimmerman over PGP?

The munitions classification on encryption software was used against him for posting the PGP source code on Usenet. They really, really wanted to nail him to the wall over that one.

There was a certain irony in the restrictions on exporting crypto software deemed 'munitions'. You could take the source, publish it as a book in an OCR font (with the page numbers between comment delimiters), and export it anywhere in the world.

What possible use would having the boss of Verisign in their back pocket be?

Verisign fulfills a 'trust provider' function by signing people's website certificates. The only use for that would be to have a clean certificate for, say, a typosquatting site.

If you had control of a CA's key — and I think it should be treated as obvious that the NSA could get one — you could write fake certificates. So say someone goes to https://evil.com/ and the government wants to spy. They can order the ISP to secretly log all the traffic, but it's worthless: the traffic is encrypted. You could provide a fake certificate, but then scary warnings would go up about domain name mismatches or whatever. But if you have a recognized CA's key, you can make your own

Or some way to break the encryption, eg. they've got the boss of Verisign in their back pocket.

Um, VeriSign is a US company. All the government needs is a warrant (and possibly not even that) to get them to hand over the keys. This is hardly a revelation. If you don't trust the US government, you can't trust any company based in the US either, because their executives are not likely to want to get hauled off to jail for not cooperating with law enforcement agencies.

Besides, SSL is based on stuff like RSA, AES, and so on. The NSA has approved those for use with confidential government data. It

However, that exemption is nullified if the source code is distributed to any of the countries on the U.S. embargo list, such as Cuba, Iran or North Korea.

Huh. I didn't realize that Cuba, Iran, and North Korea didn't have any mathematicians or anyone else that is capable of developing their own cryptography. Or that other countries that do not have a problem with those particular countries do not have that expertise either. I guess the US has a monopoly on that talent. It's a good thing that the US Government is embargoing crypto. It worked great for nuclear bomb technology after all!

I didn't realize that Cuba, Iran, and North Korea didn't have any mathematicians or anyone else that is capable of developing their own cryptography

Honestly? They probably don't. None of the encryption algorithms used by the US government are entirely US-made. They are the result of collaboration and review between mathematicians in the US, the EU, and even Russia and China. Even then, there have still been vulnerabilities related to slightly flawed implementations of the algorithms, though the algorithms themselves are (believed to be) sound.

Of course, that doesn't alter the fact that the embargo is stupid, especially given the fact that all of

and no, not everyone has nuclear technology, but containment of the information, which has been our national security strategy, obviously isn't working, or the news wouldn't be so full of reports of countries happy to show off their newly developed technology. Strangely it's somewhat difficult to keep the laws of nature a secret.

I could maybe understand this law making sense in the cold war era, and/or as it relates to hardware crypto, but it seems pretty irrelevant and ignorant for them to try and restrict the exchange of digital informa-- I'm sorry, for a second there I was thinking that politicians and legislators actually had a grasp on reality, please excuse my momentary lapse.

Can you imagine the political difficulties in trying to reduce ITAR restrictions? Even if a politician does recognize that reform is needed, it's unlikely they'll have the guts to do it, since the attack ads are so easy to write. Remember, ITAR stands for International Trade in Arms Restrictions. No one wants to be pro-proliferation.

We deal with the same things in the space industry, since rockets tend to resemble missiles. ITAR is ultimately a stranglehold on American businesses in a globalized world an

I work in Aerospace and it is much the same. The loss to US business is not that bad because ITAR extends to any business which deals with the USA. So most external competitors will be subject to the same laws.

The loss to US businesses is in the overhead of ensuring compliance. The cost of non-compliance is incredibly high; my company is currently listed as a restricted company because someone forgot to label some component specs that were covered under ITAR, and those specs then were sent to a non-US company. We now have to waste almost an hour a month on training that basically boils down to "If you're sending something outside the company, make sure to clear it with Trade Compliance first." Not to mention the

... that an innovative business like Mozilla needs to live in fear of the government and nervously await its blessing.

You mean just like regular citizens need to "live in fear of the government" when they break the law? You forget that every country has to have laws whether to protect its own citizens from themselves or from outside entities. There are also laws for corporations. There is no living in fear however. It is called simply "don't break the law" in this case. Other companies don't have issues with the export restrictions. It is a CYA thing related to national security. Would you want to be the person who allowe

A virtual country to own virtual property, including software such as this. A country which by definition has no rules of any kind, and is outside of every jurisdiction, because you can't sue or attack anyone from it. It would work like an encrypted multi-mirrored darknet. Every real server participating would store a set of "random noise" data blocks on its systems. Nobody could decrypt it, including that server. Only people inside the darknet with access to their private block could. Nobody could delete it, because there would always be at least 3 copies, floating in the darknet, encrypted differently, so that you would not be able to know that they contain the same data.

As an easter egg it would contain a honeypot, which would contain only one short sentence: "NOW WHAT, BITCHES?";)

The hard problems for such a network involve things like searching and routing. Freenet isn't exactly fast, but it's worlds more secure than anything else for this sort of thing (even so, it's far from perfect). It's also quite usable for things like browsing freesites (Freenet-hosted websites), and publishing controversial content (though large, unpopular files don't stay around forever, due to limits on disk space (and probably some bugs, but we're working on those)).

Getting an approval by local laws saying that local laws don't apply? Looks pretty much like the liar paradox. Either local laws (as in US country laws, like the ones that forbid exporting crypto) don't apply, or they apply (like the US country laws that give the 1st amendment),

If you want to push that open source projects, developed with the cooperation of people from all countries, are not restricted to the laws of a single country, that's ok, no need to put a country-specific 1st amendment to justify it. Else the exporting crypto restrictions could be applied but an exception was made in that case.

Prior to the release of Debian 3.1, United States laws placed restrictions on the export of certain defense articles, which, unfortunately, included some types of cryptographic software. PGP and SSH, among others, fell into this category. It was legal however, to import such software into the US.

To prevent anyone from taking unnecessary legal risks, some Debian packages were only available from a site in Leiden, The Netherlands, until the release of Debian 3.1, which incorporates this software thanks to changes in United States law.

You should not need the non-US archive unless you are using a version of Debian from before Debian 3.1.

Debian 3.1 corresponds to 2005. I'm amazed that Mozilla was unaware of this and needed to ask someone.

They don't need to ask someone, but for open source code there is still a requirement to notify the Department of Commerce's Bureau of Industry and Security. Beyond that notification, no review is needed (and it's just a notification, not a request for permission).

Ho-hum. Unrestricted export of open-source products incorporating encryption from the US has been legal for quite a while. All you have to do is file an application with the Feds under the Export Regs Section 740.13 "TECHNOLOGY AND SOFTWARE -- UNRESTRICTED (TSU)" before you make the source and binaries available, and you don't have to screen downloads or worry if the Officially Designated Bad Guys download your code: your ass is covered.

This war was won a loooong time ago by Philip Zimmermann when the Feds wanted to crush him for releasing PGP. All props go to Phil!

Section 740.13 (e) "(6) "Knowledge" of a prohibited export or reexport. Posting of source code or corresponding object code on the Internet (e.g., FTP or World Wide Web site) where it may be downloaded by anyone would not establish "knowledge" of a prohibited export or reexport. See Section 740.13(e)(4) of the EAR for prohibited knowing exports to Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria. In addition, such posting would not trigger "red flags" necessitating the affirmative duty to inquire under

Phil didn't win anything for anybody, at least not for a long long time. The Info-ZIP Workgroup went through the same grief back in the 80's when we were trying to back-engineer Phil Katz' ZIP / UNZIP utilities, porting them to virtually every known operating system in the world.

We got unofficial rumbles from US Customs, NSA, etc. that they would crush our virtual fingers if we dared release source code (and everything in Info-ZIP was full open source) for the ZIP encryption. (PKWare had restrictions too a

"The government took our filing and then we got back a no-violation letter, which is fantastic."

Mozilla basically asked if it would be okay if Mozilla (not you, not me, not everybody else) could put strong encryption in their software. They didn't get a court ruling--they got permission. And there's nothing wrong with that, but it doesn't mean they are some champions of free speech rights. No, it means that they have successfully looked after their own interests. And other, particularly smaller, open source developers shouldn't expect to have the same good fortune in getting permission.

Not to be too grumpy. It is good news that somebody was exempted from a stupid regulation.

I remember sometime back in the dark ages when I upgraded Netscape to 64 or 128 bit encryption and you had to do a song and dance saying "Yes, I live in America" to download the new version. Does the government really think that only the US can come up with tough-to-break encryption schemes?

Open source projects have been exempted by the US from crypto export restrictions for years.

Yes, but not to embargoed countries like Cuba, Iran, and North Korea. Mozilla consulted with the Federal Government after becoming aware of downloads to Iran.

From TFA, "During a recent Firefox download event, Mozilla posted a map on its Web site showing where downloads were occurring. Anderson said it became clear that a substantial number of downloads were coming from Iran. Mozilla then had knowledge that it was exp

NO MONEY... NO FOUL

A lot of posters (all of them) are mixing up 2 issues. The problem here is not that the crypto functions were exported from the US. The problem is that US companies are not permitted to do business with, for example, people or companies located in Iran.

When you make a product available on the internet, even a free one, people download it from all over and this could be considered "doing business" and IP filters are a rather silly way to try to stop it. The more straightforward app